BIOMETRICS CAN PROTECT OUR BORDERS ALONG WITH OUR PRIVACY

9 May 2019

Customs and Border Protection (CBP) has been expanding its biometric programs with the use of facial recognition technology for inbound passengers, achieving early success both in identifying imposters attempting to enter the U.S. and improving the efficiency of the screening process itself.

Based on this success, the Department of Homeland Security (DHS) recently announced efforts to expand programs to those departing the U.S. with the goal of covering 97 percent of outbound international travelers in the next four years.

As DHS applies facial recognition and other biometric technologies to confirm travelers’ identities and to intercept potential threats, it is important to look at how it balances travelers’ privacy with security goals.

Not surprisingly, the expanded use of biometrics raises questions about individual privacy, particularly in light of proliferating, high-profile data breaches that can affect — and should alarm — all of us.

As the lead agency for protecting our nation’s borders, CBP has evolved its process for identifying and screening passengers over time. In “the old days,” passengers flying into the United States would present their passport to a CBP officer. The officer compared the laminated picture within the passport to the person standing in front of them, researched available government data sources to determine if the traveler was high-risk, and conducted in-person interviews to determine if additional screening was necessary. While a sufficient process, it was time-consuming and dependent on CBP personnel to make accurate assessments and detect anomalies in real time.

Since 2005, CBP has required airlines to provide manifest data shortly after departure so officers can leverage existing targeting infrastructure and resources, including government documentation and photographs (such as passport and visa photos), to determine the risk of incoming passengers before they arrive. Upon landing, low-risk passengers are expedited through customs while CBP focuses its resources on higher risk passengers.

Today, CBP is leveraging commercially available biometric technologies to streamline and automate the already existing process of manually matching images from existing databases to individual travelers attempting entry into or exit from the U.S. The Transportation Security Administration (TSA) and aviation industry partners also are conducting biometric pilots across the country to expedite the traveler experience at the airport. These pilots are intended to confirm the identity of traveling passengers at various points in the airport ecosystem, with the goal of enhancing security while reducing friction in the travel process.

As stakeholders evaluate CBP’s deployment of biometric technology, I believe there are three areas where CBP has demonstrated best practices that meet the goal of promoting both security as well as an improved traveler experience. These include leveraging new technology for more efficient and effective screening; providing transparency around the collection and use of biometrics in the screening process; and voluntary opt-in or opt-out participation for other biometric programs:

Transparency. CBP and TSA have issued several Systems of Records Notices and Privacy Impact Assessments while inviting public comment and publicizing strategies and roadmaps to educate and inform stakeholders on the steps they are taking to leverage technology for the security of the traveling public. This level of transparency is critical to developing trust between travelers and the government. In an era in which commercial companies often use “terms of service” obfuscated with pages of legal language, the government is being clear about its use of biometrics.

Leveraging existing systems to make them more efficient. Where the Government already had access to — and used — biometrics through existing systems (such as photos from passports, visas, previous border crossings or trusted-traveler programs), the use of matching technology expedites old manual processes. This speeds the traveler experience and is more effective than manual visual comparisons. For example, automated matching of a facial or fingerprint biometric at the TSA screening checkpoint is likely more accurate and faster than a security officer’s visual driver-license check. These enhancements allow TSA to increase speed and security while reallocating officer resources to focus on detecting additional threats to aviation security.

Voluntary use. CBP and TSA strategies also require the ability to opt in or opt out of other biometric matching programs and third-party use of biometrics. Specifically, CBP programs allow passengers to opt out of technical demonstrations as well as the sharing of biometric information with third parties (such as airlines); TSA requires opt-in participation for its biometric trusted traveler programs at TSA checkpoints.

Many privacy advocates are concerned that the government could use the data for continuous surveillance without any suspicion of wrongdoing, to identify and track people without their knowledge. Critics claim that it’s an overreach for the government to require U.S. citizens to submit to facial scans to board a plane.

However, it is important to point out that CBP privacy policies only allow the biometric data to be used for identification purposes and that it must be deleted within 12 hours, in the case of U.S. citizens. Similarly, TSA is limiting its biometric programs to trusted-traveler programs, in which travelers have already chosen to share information.

In a time when we have seen rising concerns about stockpiling user data on social media, the use of biometrics by both the government and commercial entities must continue to be evaluated. Countries around the world are assessing the privacy exposure related to biometrics and facial recognition. The potential for commercial entities to combine biometric data with other user data — including geolocation, online activity, and retail purchases — has the potential to significantly expose sensitive information about private citizens.

While DHS’s pilot programs must be evaluated on a continuous basis, I believe that DHS has handled the implementation correctly. This should be the standard for other organizations and government entities looking to deploy biometric-based solutions that create a more secure, trusted environment for the public.

Lee Kair is managing director of The Chertoff Group, a security and risk management advisory firm. He served more than 15 years in senior executive positions at the U.S. Department of Homeland Security, including the Transportation Security Administration. The Chertoff Group is a frequent adviser to clients in the defense technology and aviation industries, including clients that work in identity management and biometrics technology.